Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CakePHP 3.0.5 XML Class SSRF

🗓️ 15 Oct 2015 00:00:00Reported by Takeshi TeradaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 27 Views

CakePHP v3.0.5 XML Class SSRF Vulnerability, allows SSRF attacks through XML inpu

Code
`=============================================================================  
Title : CakePHP Xml class SSRF Vulnerability  
CVE Number : N/A (not assigned)  
Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may  
also be affected)  
Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.  
http://www.mbsd.jp/  
Issue Status : v3.0.6/2.6.6 was released which fixes this issue  
=============================================================================  
  
Overview:  
-----------------------------------------------------------------------------  
CakePHP is an open-source web application framework for PHP.  
CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side  
Request Forgery) attacks. Remote attacker can utilize it for at least  
DoS (Denial of Service) attacks, if the target application accepts  
XML as an input. It is caused by insecure design of Cake's Xml class.  
  
Details:  
-----------------------------------------------------------------------------  
Here is an abstract from Cake\Utility\Xml.php (v3.0.3).  
  
96: public static function build($input, array $options = [])  
97: {  
....  
104: if (is_array($input) || is_object($input)) {  
105: return static::fromArray($input, $options);  
106: }  
107:  
108: if (strpos($input, '<') !== false) {  
109: return static::_loadXml($input, $options);  
110: }  
111:  
112: if (file_exists($input)) {  
113: return static::_loadXml(file_get_contents($input), $options);  
114: }  
  
The problematic part is line 112-114, where $input is treated as a  
URL (file path) and the method tries to fetch the content of the URL,  
if it does not contain any '<' character.  
  
Therefore, if values such as those shown below are given to it,  
the application will block.  
  
1. file:///dev/random  
-> blocks permanently (until so much entropy supplied)  
  
2. /dev/urandom  
-> blocks until hitting memory limit  
  
3. ftp://very_slow_host/a  
-> blocks until socket timeout  
  
Attackers can exhaust MaxClients (on Apache), just by sending  
the number of requests with these values instead of normal XML.  
  
CakePHP seems to accept XML inputs when RequestHandlerComponent,  
which is designed to handle XHR requests that may contain XML or  
JSON in their body, is enabled.  
  
http://book.cakephp.org/3.0/en/development/rest.html  
http://book.cakephp.org/3.0/en/controllers/components/request-handling.html  
  
When the component is enabled and a request has necessary headers  
(Content-Type and X-Requested-With), raw body of the request is  
passed to Xml::build() directly (i.e. without validation), which  
can obviously be used for attacks.  
  
However, it seems hard to successfully conduct other types of  
attack than DoS, because there are some hurdles for attackers.  
Firstly, usual web applications are unlikely to return the full  
request data. This means there is very little opportunity for file  
theft attacks, regardless of whether the target file is XML or not.  
The second hurdle is file_exists() check in line 112, which results  
in URLs with interesting schemes like "expect" and "http" being  
rejected.  
  
But still DoS and timing attacks like internal network scan using  
ftp URL's are possible. Additionally, in CakePHP v2, attackers can  
also use http(s) URLs for such attacks, as Cake2 accepts URLs with  
these schemes.  
  
Timeline:  
-----------------------------------------------------------------------------  
2015/05/27 Reported to CakePHP Security ML  
2015/05/29 Vender announced v3.0.6 & 2.6.6  
2015/10/15 Disclosure of this advisory  
  
Recommendation:  
-----------------------------------------------------------------------------  
Upgrading to the latest versions is recommended, if your app  
accepts XML data, as stated in the release note.  
  
https://github.com/cakephp/cakephp/releases/tag/3.0.6  
  
One thing I think should be noted is that the default behavior  
of the method (Xml::build()) was kept as it had been, in order to  
avoid compatibility problems.  
  
https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0  
  
This means you need to modify your program, if you pass untrusted  
data to the method in your own program code to deal with XML.  
Technically, specifying a newly created option (readFile = false)  
for the method disables URL loading feature, thus can prevent DoS  
and other relevant attacks. See the URL above (github commit log)  
for details.  
  
--   
Takeshi Terada  
Mitsui Bussan Secure Directions, Inc.  
http://www.mbsd.jp/  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Oct 2015 00:00Current
0.1Low risk
Vulners AI Score0.1
cakephpssrfxmlvulnerabilitysecuritydosupdateadvisoryssrf attackremote attackersdos attackrelease note
27